Report: Chinese Breach of USIS Started with SAP

Last fall, it came to light that Chinese hackers had roamed around unnoticed for months inside the network of USIS, the biggest commercial provider of background investigations to the federal US government. In fact, two of the company’s biggest customers are the Department of Homeland Security (DHS) and the Office of Personnel Management (OPM).

Analysis by Onapsis Research Labs finds that the breach most likely used an SAP attack vector that Onapsis has been tracking in the wild and warning enterprises about. It marks the first time an SAP attack against a national security service provider has been publicly uncovered.

“SAP systems have always been a target for hackers as they run the most critical and sensitive processes for the largest companies and government agencies in the world,” said Onapsis researcher Sergio Abraham, in a blog post. “Examples such as the USIS breach are showing the importance of protecting our SAP Systems and eradicate the false idea of business critical applications being ‘internal and isolated.’”

The USIS attackers likely exploited either an unpatched or a zero-day SAP vulnerability from the outside in order to gain access to the company network. Once inside, they used that foothold to pivot to other systems. This is a common approach used by attackers to reach employee data, customer information or even credit-card data.

The attack begins with a pivot from a system with lower security, such as a development or quality assurance system, to a critical system. The goal is to execute a remote function module in the destination system.

“SAP systems are connected to the Internet, and a single weak link is required for the attackers to start pivoting between systems and to then begin moving through the internal network,” Abraham said.

In this case, according to the forensics report, evidence shows the cyber-attacker gained access to USIS systems through an exploit in a system managed by a third party, and from there migrated to company-managed systems. The findings were largely informed by a variety of logs, including firewall logs, security event logs, VPN logs and SAP application trace logs.
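The two technical points above, a pivot from a lower-security system (development or QA) into a critical system to execute a remote function module, and the reconstruction of that movement from application trace logs, suggest a simple detection rule: flag any remote function call whose destination is a production system and whose source is either a lower-tier system or an unknown/external host. The following Python is an added illustrative example, not code from the article or from Onapsis; the log line format, the system identifiers (DEV01, QAS01, PRD01, EXT-203), the user names and the function module names are all constructed for this example and do not reproduce any real SAP trace or audit log layout.

```python
"""Detect cross-tier remote function calls into a production SAP system.

Illustrative example added to the article; the log format and every
identifier below are constructed and hypothetical, not real SAP log output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed (hypothetical) zoning of SAP systems by security tier.
# In practice this mapping would come from an asset inventory or CMDB.
SYSTEM_TIER = {
    "DEV01": "development",
    "QAS01": "quality-assurance",
    "PRD01": "production",
}

# Constructed log format, one call per line:
#   <timestamp> src=<system id> dst=<system id> user=<name> rfc=<function module>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) rfc=(?P<rfc>\S+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    user: str
    rfc: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; return None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_pivots(lines: Iterable[str]) -> List[Finding]:
    """Flag remote function calls that cross from a lower-security tier,
    or from an unknown/external source, into a production system.

    Calls within production, or between non-production systems, are not
    flagged; they may be legitimate but are not the pivot pattern of interest.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        src_tier = SYSTEM_TIER.get(rec["src"], "unknown")
        dst_tier = SYSTEM_TIER.get(rec["dst"], "unknown")
        if dst_tier != "production":
            continue
        if src_tier == "unknown":
            reason = "RFC into production from unknown/external source"
        elif src_tier != "production":
            reason = f"RFC into production from {src_tier} system"
        else:
            continue  # production-to-production traffic is in scope for other rules
        findings.append(
            Finding(rec["ts"], rec["src"], rec["dst"], rec["user"], rec["rfc"], reason)
        )
    return findings


# Constructed sample log lines (hypothetical identifiers throughout).
SAMPLE_LOG = [
    "2014-06-01T02:14:07Z src=PRD01 dst=PRD01 user=batch_svc rfc=FM_EXAMPLE_A",
    "2014-06-01T02:15:33Z src=QAS01 dst=PRD01 user=qa_svc rfc=FM_EXAMPLE_B",
    "2014-06-01T02:16:02Z src=DEV01 dst=QAS01 user=dev_user rfc=FM_EXAMPLE_A",
    "2014-06-01T02:17:45Z src=EXT-203 dst=PRD01 user=unknown_user rfc=FM_EXAMPLE_C",
    "this line is deliberately malformed and is skipped",
]


if __name__ == "__main__":
    for f in find_pivots(SAMPLE_LOG):
        print(f"{f.ts} {f.src}->{f.dst} user={f.user} rfc={f.rfc} : {f.reason}")
```

Run against the constructed sample, the rule raises two findings: the QA-to-production call and the call from the unregistered source EXT-203. The design choice worth noting is that the rule keys on the tier of the calling system rather than on the function module name, which is what makes a pivot from a weakly secured development or QA system visible even when the function being called looks routine.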

The damage and the information stolen are difficult to measure, but according to public reports it appears that the personal records of thousands of employees who have applied for top-secret security clearances could have been stolen.

“Attackers were able to access the USIS network in late 2013 but weren’t discovered until June 2014,” Abraham said. “This means that the attackers had at least six months of access to internal and sensitive information without being noticed. The damage is difficult to estimate and shows the current lack of awareness around how SAP systems must be protected and monitored.”